Jetico alerts

My apologies if this has already been covered: when reverting back to factory settings in "Optimal Protection" mode in JPF1, many alerts pop up (which everyone knows, and many complain about). These are understandable because the FW is learning which programs and applications should get access and which should not. OK, no problem.

What I want to know is: I am getting bunches of alerts for my Skype application; they come in clusters of at least 3, but sometimes up to 10 or 12 requests, one after another. The requested ips are different or the ports are different, so JPF is asking for permission on each one. OK, no problem.

But because this happens so much with Skype (and primarily Skype, as of course other queries pop up, just not so many; my second biggest requester comes from Firefox) my question is: are these clusters of queries being generated based upon the list of "contacts" I have on my Skype list of contacts (or FFox browser outbounds/inbounds)?? Iow, whenever a contact sends me a query, or whenever JPF notices another contact in Skype, is *this* the cause of all these alerts coming in rapid succession??

> What I want to know is: I am getting bunches of alerts for my Skype application; they come in clusters of at least 3, but sometimes up to 10 or 12 requests, one after another. The requested ips are different or the ports are different, so JPF is asking for permission on each one. OK, no problem.

I don't use Jetico 1 but I do use Jetico 2 on one of my pc's. I also don't use Skype. If you can create custom tables in the left-hand pane of the configuration wizard, then that may be the way to go. You could create one named "skype" under Network Activity, then, if it is possible in Jetico 1, create rules from the "Ask" log entries. Make sure you have logging enabled for the "Ask" rule and select "Warning" or "Alert" for the log level entry. This way the logged alerts will be in red, making them easy to find. Right-click the alerts for Skype and select "create rule", then choose the Skype table to place the rules in. You will probably have to go into the table later to fine-tune the rules by creating port ranges and/or ip address ranges so that you don't have so many individual rules.

This info is based on the way rules can be created from log entries in Jetico 2. Hopefully the same can be done in Jetico 1.

> I don't use Jetico 1 but I do use Jetico 2 on one of my pc's. I also don't use Skype. If you can create custom tables in the left-hand pane of the configuration wizard, then that may be the way to go. You could create one named "skype" under Network Activity, then, if it is possible in Jetico 1, create rules from the "Ask" log entries. Make sure you have logging enabled for the "Ask" rule and select "Warning" or "Alert" for the log level entry. This way the logged alerts will be in red, making them easy to find. Right-click the alerts for Skype and select "create rule", then choose the Skype table to place the rules in. You will probably have to go into the table later to fine-tune the rules by creating port ranges and/or ip address ranges so that you don't have so many individual rules.
>
> This info is based on the way rules can be created from log entries in Jetico 2. Hopefully the same can be done in Jetico 1.

Thanks for the suggestions. Tuning these rules is not so much the problem. I know I can do that. My question is whether the pop-ups I get for Skype are related with the "contacts" (address book) in my Skype. I know after a week or so (since I re-set the Optimal Protection to the default) these pop-ups will diminish until they occur only when I do go to a new web-site or something like that. Since you don't use Skype, I guess it's hard for you to see the same thing as I am talking about.

I've got the same problem with Yahoo Messenger. However when the pop-up is up, I chose the "Handle as" option and chose Application Trusted Zone, and everything goes fine here. One more thing I noticed in Jetico is my VOIP program. I talked to my friend, but sometimes she can't hear what I was saying.

> My question is whether the pop-ups I get for Skype are related with the "contacts" (address book) in my Skype.

No, you are not connecting 'directly' to other Skype users. Skype is a P2P type of software, but it is used for other things than file-sharing. Your connection goes through random Skype servers all over the world, and this may be the reason you are getting popups from Jetico for different IP addresses. Which server will be used for connection depends on which party initializes the connection, so you may see a lot of popups for different IP addresses.

Are you trying to make rules in Jetico for Skype for specific IP addresses? You should not bother with this, rather try to bind your rules to specific (1024-65535 TCP out UDP in) ports only. Skype will need TCP outbound connections on 80 and 443 ports as well. This is what the default rule for Skype in Jetico 2 says, as well as Skype help on homesite

Hi, this means I have to define a specific rule for my installed applications. Do you know any other way so that Jetico can handle things like comodo or other firewalls do other than defining rules one by one?

> Do you know any other way so that Jetico can handle things like comodo or other firewalls do other than defining rules one by one?

Jetico v2 has some preconfigured rulesets by default, such as for P2P software, IMs, Skype, etc. When you receive a popup from Jetico, you can select "Handle as..." and select the appropriate ruleset for your type of application (Web browser, P2P,...). It's as simple as that.

It was a long time ago when I used Jetico v1, so I don't really remember which default rulesets it comes with, except for Web browsers, mail clients and some other basics (DNS?). Jetico is pretty much a do-it-yourself type of firewall. You would need to have some basic knowledge on networking, and to be aware of which resources (ports) your apps use to make appropriate rules.

I am not sure how Comodo handles/creates application rules now, but when I used it (for a very short time) I remember that I had to make my own rules for (example) P2P.

> No, you are not connecting 'directly' to other Skype users. Skype is a P2P type of software, but it is used for other things than file-sharing. Your connection goes through random Skype servers all over the world, and this may be the reason you are getting popups from Jetico for different IP addresses. Which server will be used for connection depends on which party initializes the connection, so you may see a lot of popups for different IP addresses.
>
> Are you trying to make rules in Jetico for Skype for specific IP addresses? You should not bother with this, rather try to bind your rules to specific (1024-65535 TCP out UDP in) ports only. Skype will need TCP outbound connections on 80 and 443 ports as well. This is what the default rule for Skype in Jetico 2 says, as well as Skype help on homesite
>
> Cheers,

Thanks, Seer (Nick). I have not bothered trying to make any rules yet. On my first go-around with JPF1 a year+ ago, I would put frequently used apps, like Skype, into the "trusted zone", but I later heard that this might be leaving too much of an opening for something to come in and mimic Skype, fooling JPF into thinking it was Skype when in fact it was malware. So I have since used individual approvals for each pop-up; I have clicked to "allow" while leaving the "remember this decision" box in the dialogue window. It takes longer to do it this way, and I get a lot of pop-ups for a while, but eventually the pop-ups taper off. They only return when I go into new territory and JPF wants to know how to handle it.

I know there is a rules set somewhere; I think Stem or somebody like that set one up for Jetico. Maybe I should take a deeper look into it (?).

> I have since used individual approvals for each pop-up; I have clicked to "allow" while leaving the "remember this decision" box in the dialogue window.

This is not the best way to handle Jetico firewall. When you are about to establish network connection, Jetico will ask (with popup) for protocol, port and IP address. By clicking "allow" with "remember" you are creating a rule for every single address your app is accessing, which is not really necessary, and in Skype's case it is almost impossible to achieve a steady ruleset (without further prompts). Instead of "allow" you should select "custom" and create the following rules in your application table:

for TCP

and for UDP

Skype should work correctly after that without further prompts. Note that under "application" I entered "Skype path", as I don't have Skype installed at the moment. You would need to browse to Skype's executable in that field by clicking "...".

> This is not the best way to handle Jetico firewall. When you are about to establish network connection, Jetico will ask (with popup) for protocol, port and IP address. By clicking "allow" with "remember" you are creating a rule for every single address your app is accessing, which is not really necessary, and in Skype's case it is almost impossible to achieve a steady ruleset (without further prompts). Instead of "allow" you should select "custom" and create the following rules in your application table:
>
> Skype should work correctly after that without further prompts.
>
> Please repost back with your results.
>
> Cheers,

Hello, Seer,

OK, I did as you suggested. I still get some pop-ups, I think because the IP address of the remote may need to be set in rule (??). (I hesitate to put a range of IP addresses because I'm not that knowledgeable about IP addresses, which are safe and which want to steal the computer. Could IP address variations cause the fw to prompt me??)

I had to actually install Skype to check this properly. BTW, this is my first encounter with Skype. I entered the above rules (plus "access to network" rule of course), and all is well here, I am not getting any popups from Jetico, I am logged in and Skype works. I got two popups from Skype's other process though, the Plugin Manager (skypepm.exe) for remote TCP ports 443 and 37 (outbound), so I created the rules for them as well. This plugin manager can be disabled from Skype's preferences, so these rules are not really needed for Skype's proper operation.

SamSpade said:

> I still get some pop-ups, I think because the IP address of the remote may need to be set in rule (??).

No need to set the rule(s) for any IP address, as I said before, just bind your rules to correct ports. You should set the IP address field in every rule to "any", local and remote.

> I had to actually install Skype to check this properly. BTW, this is my first encounter with Skype. I entered the above rules (plus "access to network" rule of course), and all is well here, I am not getting any popups from Jetico, I am logged in and Skype works. I got two popups from Skype's other process though, the Plugin Manager (skypepm.exe) for remote TCP ports 443 and 37 (outbound), so I created the rules for them as well. This plugin manager can be disabled from Skype's preferences, so these rules are not really needed for Skype's proper operation.
>
> No need to set the rule(s) for any IP address, as I said before, just bind your rules to correct ports. You should set the IP address field in every rule to "any", local and remote.
>
> Cheers,

I'm refining as I go here. Still getting some pop-ups for Skype. Have entered the port range for both incoming and outgoing as "1024-65355", except where Jetico has already entered "any"; then I just leave it be.

> Can you be more specific? Popups for which exact process on which port/protocol? A screenshot of popup perhaps...?

Sorry, I'm not able to do a screen shot; file is too big, I guess.

Anyway, I was getting one after another. I must have made at least a dozen rules, giving port access from 80-65355, and then "any", but the pop-ups kept coming. I finally bagged it and uninstalled JPF1. I trialed JPF2 some months ago, and it is more refined, probably doesn't have this hassle, but at 39 euro + 18% tax, that's about $60 for a firewall. No thanks. I'm using the Comodo FW 2.4.xx, and it's working fine. Lower on resources than last year.

What a difference ten days makes!! I went back to Comodo 2.4, but just didn't like the way it slowed down my internet connection, used more resources than Jetico, and the murky feeling I get from not knowing what all is happening.

So, here I am, back with Jetico 1 again!! I really like this kind of firewall the best. Call me a "control freak" or whatever. I don't care.

So, this time I followed your advice above to the letter, plugging in all the parameters exactly as you show above, and now all seems running well. It's quiet, smooth, and using as few resources as before. At least concerning Skype pop-ups, everything is good.

Now I do have a couple of questions regarding the way connections are handled in Jetico:

1. Why do you leave unchecked: the "override port" in "Local Address"/"type: any"? What does that do? What would happen if I checked "override port"?

2. For "Remote Address"/ "Address Type", you say to choose "any" rather than the default "host". Why? What is the difference between allowing connection to a "host" and "any"?? I feel a bit skittish about allowing "any", and I feel better about allowing a "host". Just a feeling I have, no particular reason except "host" sounds more specific than "any".

3. Then, the fact that you *do* check "override port" for this remote connection -- why is that?? Why not "override port" for local connection and "override port" for remote connection??

If you can help understand these finer points I think I can understand not only how Jetico works but also how internet connections are made, which would be great to know.

> 1. Why do you leave unchecked: the "override port" in "Local Address"/"type: any"? What does that do? What would happen if I checked "override port"?

When outbound connections are being made, the application will normally use a random local port (usually a port available between 1024-5000). You could override the local ports used, but you would need to place a "port range" (as mentioned) or you would get further popups.

SamSpade said:

> 2. For "Remote Address"/ "Address Type", you say to choose "any" rather than the default "host". Why? What is the difference between allowing connection to a "host" and "any"?? I feel a bit skittish about allowing "any", and I feel better about allowing a "host". Just a feeling I have, no particular reason except "host" sounds more specific than "any".

"Any" is any IP, to place a rule for "host" would intend only connections to that one IP, further rules would then be needed for each/every IP connected to. You could do this, but be aware of the popups you would get (and would advise that you should setup a table, so for every rule created (for each IP) would be grouped into its own table (for ref, editing)).

SamSpade said:

> 3. Then, the fact that you *do* check "override port" for this remote connection -- why is that?? Why not "override port" for local connection and "override port" for remote connection??

Remote ports within a connection are normally static. As with when you connect to websites, this will normally connect to remote port 80 (there are some alternative ports used). [This restriction would normally be put in place so the application is not allowed (for example) to send out mail.]
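The rule behaviour discussed in the posts above (per-address "allow" + "remember" rules versus rules bound to remote ports, and the effect of restricting local ports), as an added Python sketch that is not part of the thread and not Jetico code. The rule model, the constructed sample connections and the port-bound rule set (TCP out to remote ports 80, 443 and 1024-65535 with address "any", as described earlier in the thread; UDP omitted) are assumptions.

```python
"""Toy first-match rule table: a connection no rule matches raises a prompt."""
from dataclasses import dataclass, replace

ANY = (0, 65535)  # full port range, i.e. "any"

@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str      # "out" or "in"
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    remote_ip: str = "any"     # "any", or one host address
    local_ports: tuple = ANY   # inclusive (low, high)
    remote_ports: tuple = ANY

    def matches(self, c: Conn) -> bool:
        return (self.proto == c.proto and self.direction == c.direction
                and self.remote_ip in ("any", c.remote_ip)
                and self.local_ports[0] <= c.local_port <= self.local_ports[1]
                and self.remote_ports[0] <= c.remote_port <= self.remote_ports[1])

def count_prompts(conns, rules, remember=False):
    """Replay conns against rules; return (prompts, final rule count).

    remember=True models answering every prompt with "allow" + "remember":
    assumed here to add a rule for that exact protocol, host and remote port.
    """
    rules, prompts = list(rules), 0
    for c in conns:
        if any(r.matches(c) for r in rules):
            continue
        prompts += 1
        if remember:
            rules.append(Rule(c.proto, c.direction, c.remote_ip,
                              remote_ports=(c.remote_port, c.remote_port)))
    return prompts, len(rules)

def sample_session(n=12):
    """Constructed traffic: one app contacting n different hosts (TEST-NET-2),
    each from a fresh local port, on a mix of constructed remote ports."""
    remote_ports = [443, 80, 33033, 12350]
    return [Conn("TCP", "out", 1025 + i, f"198.51.100.{10 + i}", remote_ports[i % 4])
            for i in range(n)]

# Port-bound rules, remote address "any" (assumed from the thread's description).
PORT_BOUND = [Rule("TCP", "out", remote_ports=p)
              for p in ((80, 80), (443, 443), (1024, 65535))]
# Same rules with the local port also restricted to a narrow range.
LOCAL_LIMITED = [replace(r, local_ports=(1024, 1030)) for r in PORT_BOUND]
# The combination flagged as a concern: any local port and any remote port.
ANY_ANY = [Rule("TCP", "out")]
# Constructed outbound mail (SMTP) attempt, remote port 25.
MAIL = Conn("TCP", "out", 1040, "203.0.113.25", 25)

if __name__ == "__main__":
    s = sample_session()
    print("allow+remember per host:", count_prompts(s, [], remember=True))
    print("port-bound rules:       ", count_prompts(s, PORT_BOUND))
    print("local ports 1024-1030:  ", count_prompts(s, LOCAL_LIMITED))
    print("mail vs port-bound:     ", count_prompts([MAIL], PORT_BOUND))
    print("mail vs any/any:        ", count_prompts([MAIL], ANY_ANY))
```

In this model the per-host rules never stop prompting for new addresses, the port-bound rules cover the whole session silently while still prompting on remote port 25, and the any/any rule lets the mail connection through without a prompt.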

> When outbound connections are being made, the application will normally use a random local port (usually a port available between 1024-5000). You could override the local ports used, but you would need to place a "port range" (as mentioned) or you would get further popups.

Thanks, Stem. I understand better now. So, if I *wanted* to limit the port range of my outbound connections, would this ever cause a connection to fail because the app wanted to use a different port than the ones in my range??

To simplify matters what potential harm might there be in just allowing "any" port of mine to be used for outbound??

Stem said:

> "Any" is any IP, to place a rule for "host" would intend only connections to that one IP, further rules would then be needed for each/every IP connected to. You could do this, but be aware of the popups you would get (and would advise that you should setup a table, so for every rule created (for each IP) would be grouped into its own table (for ref, editing)).

Then, what potential for harm would there be in just allowing "any" IP?? Of course, there are IPs out there that I know I do not want to connect to; wouldn't my hosts file stop that? What, if any, other preventions could I implement to keep out unwanted IPs??

Stem said:

> Remote ports within a connection are normally static. As with when you connect to websites, this will normally connect to remote port 80 (there are some alternative ports used). [This restriction would normally be put in place so the application is not allowed (for example) to send out mail.]

So is it safer to place a very restricted set of remote ports to connect to, or is that too uncertain?? (because we don't know if a good IP connection would use a new port??)

Just lettin everyone know....I tried to install jetico v2 on my dell laptop xpsp2....installed fine....but uninstall is a whole different story....said it was uninstalled but services stayed and reg keys stayed.....installed uninstalled 10 times without resolution....found a manual way to remove registered files (ocx), services and reg keys....windows never went back to running smoothly....had to format and start over....I don't recommend trying jetico on anything but a test machine...

> Thanks, Stem. I understand better now. So, if I *wanted* to limit the port range of my outbound connections, would this ever cause a connection to fail because the app wanted to use a different port than the ones in my range??

From the default Jetico config, you would get a popup if other local ports are needed. This is possible if you have many connections established.

SamSpade said:

> To simplify matters what potential harm might there be in just allowing "any" port of mine to be used for outbound??

Where the remote port is restricted within the rules, then there is no main concern on this. Only if you were to place a rule with "any local" and "any remote" ports would I have concern.

SamSpade said:

> Then, what potential for harm would there be in just allowing "any" IP?? Of course, there are IPs out there that I know I do not want to connect to; wouldn't my hosts file stop that? What, if any, other preventions could I implement to keep out unwanted IPs??

With trusted software, the concerns are the same as you should have as with where your browser connects to.
A Hosts file will prevent DNS lookups for those sites within the Hosts file, and can then block such connections. You could also look at an app such as Peerguardian that can import blocklists (and block known malware/spider etc IPs)

SamSpade said:

> So is it safer to place a very restricted set of remote ports to connect to, or is that too uncertain?? (because we don't know if a good IP connection would use a new port??)

You can restrict to remote ports. If others are needed, then you would get a popup for this.

> Just lettin everyone know....I tried to install jetico v2 on my dell laptop xpsp2....installed fine....but uninstall is a whole different story....said it was uninstalled but services stayed and reg keys stayed.....installed uninstalled 10 times without resolution....found a manual way to remove registered files (ocx), services and reg keys....windows never went back to running smoothly....had to format and start over....I don't recommend trying jetico on anything but a test machine...

I have seen other similar posts to this with un-install problems. I personally don't uninstall, I revert back to an image.

Please report this directly to Jetico support, unless report/complaint is made, this problem will not change (it will continue).

> From the default Jetico config, you would get a popup if other local ports are needed. This is possible if you have many connections established.
>
> Where the remote port is restricted within the rules, then there is no main concern on this. Only if you were to place a rule with "any local" and "any remote" ports would I have concern.

Because an app may be a forgery or spoofed, then call out to a bogus/malware site?? Or.... ?

Stem said:

> With trusted software, the concerns are the same as you should have as with where your browser connects to.
> A Hosts file will prevent DNS lookups for those sites within the Hosts file, and can then block such connections. You could also look at an app such as Peerguardian that can import blocklists (and block known malware/spider etc IPs)
>
> You can restrict to remote ports. If others are needed, then you would get a popup for this.

I see. So if I limit the ports of the foreign machine, pop-ups will automatically occur, should there be a call to or from same?